Bug#: 195571
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Robert Buchholz <rbu@gentoo.org>
Description:   Opened: 2007-10-12 01:49 0000
CVE-2007-3382 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3382):
  Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to
  4.1.36, and 3.3 to 3.3.2 treats single quotes ("'") as delimiters in cookies,
  which might cause sensitive information such as session IDs to be leaked and
  allow remote attackers to conduct session hijacking attacks.

CVE-2007-3385 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3385):
  Apache Tomcat 6.0.0 to 6.0.13, 5.5.0 to 5.5.24, 5.0.0 to 5.0.30, 4.1.0 to
  4.1.36, and 3.3 to 3.3.2 does not properly handle the \" character sequence
  in a cookie value, which might cause sensitive information such as session
  IDs to be leaked to remote attackers and enable session hijacking attacks.
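To make the two cookie-parsing behaviours named in the CVE entries concrete, here is an added illustration; it is not Tomcat's code and not a reconstruction of Tomcat's actual code path. A small Cookie-header parser that, as RFC 2109 defines, treats only double quotes as quoting and honours backslash escapes (so `\"` stays inside the value) is run next to the same parser configured to also treat single quotes as delimiters, showing how a following JSESSIONID can be absorbed into a preceding cookie's value. Both header strings are constructed samples.

```python
# Constructed sample headers (not captured from any real server)
SINGLE_QUOTE_HEADER = "theme='dark; JSESSIONID=ABC123DEF456"
ESCAPED_QUOTE_HEADER = r'name="a\"b"; JSESSIONID=XYZ'


def parse_cookie_header(header: str, quote_chars: str = '"') -> dict:
    """Parse a Cookie request header into a name -> value dict.

    quote_chars lists the characters that open a quoted value. RFC 2109
    only defines double-quote quoting; passing '"\\'' models a parser that
    also treats single quotes as delimiters, which swallows everything up
    to the next single quote (or the end of the header) into one value.
    Inside a quoted value a backslash escapes the next character, so the
    sequence \\" does not terminate the value.
    """
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        # skip cookie separators and surrounding whitespace
        while i < n and header[i] in "; \t":
            i += 1
        if i >= n:
            break
        eq = header.find("=", i)
        if eq == -1:
            break  # malformed tail without a name=value pair; stop here
        name = header[i:eq].strip()
        i = eq + 1
        if i < n and header[i] in quote_chars:
            closing = header[i]
            i += 1
            buf = []
            while i < n and header[i] != closing:
                if header[i] == "\\" and i + 1 < n:
                    i += 1  # keep the escaped character literally
                buf.append(header[i])
                i += 1
            i += 1  # consume the closing quote (or run past the end)
            value = "".join(buf)
        else:
            end = header.find(";", i)
            if end == -1:
                end = n
            value = header[i:end].strip()
            i = end
        cookies[name] = value
    return cookies


if __name__ == "__main__":
    print("RFC 2109 quoting:  ", parse_cookie_header(SINGLE_QUOTE_HEADER))
    print("single-quote aware:", parse_cookie_header(SINGLE_QUOTE_HEADER, "\"'"))
    print("escaped quote:     ", parse_cookie_header(ESCAPED_QUOTE_HEADER))
```

In the single-quote-aware run the JSESSIONID cookie disappears as a separate entry and its value ends up inside `theme`; any application that echoes `theme` back to the client would then be reflecting the session ID, which is the leak the CVE text describes.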

------- Comment #1 From Robert Buchholz 2007-10-12 01:58:28 0000 -------
*** Bug 195563 has been marked as a duplicate of this bug. ***

------- Comment #2 From Robert Buchholz 2007-10-12 02:01:49 0000 -------
Sorry for rudely closing the other bug.

Arches, please test and mark stable www-servers/tomcat-5.5.25 and its deps:
dev-java/eclipse-ecj-3.3.0-r1
dev-java/tomcat-servlet-api-5.5.25

Target keywords are: "amd64 x86 ~x86-fbsd"

------- Comment #3 From William L. Thomson Jr. (RETIRED) 2007-10-12 02:47:55 0000 -------
amd64 stable

------- Comment #4 From Christian Faulhammer 2007-10-12 08:32:13 0000 -------
x86 stable, last arch, open for GLSA vote

------- Comment #5 From Christian Faulhammer 2007-10-12 10:15:57 0000 -------
Adding BSD back, your KEYWORD is missing.  Anyway, GLSA vote is still valid.

------- Comment #6 From Roy Marples (RETIRED) 2007-10-12 11:35:19 0000 -------
Added our keyword back. Next time a bsd keyword gets dropped, please say so on
the bug, as we automatically remove ourselves on stable requests since we have no
stable keyword at this time.

------- Comment #7 From Sune Kloppenborg Jeppesen 2007-10-17 19:27:40 0000 -------
I tend to vote NO.

------- Comment #8 From Pierre-Yves Rofes 2007-10-17 22:21:52 0000 -------
I vote NO.

------- Comment #9 From Robert Buchholz 2007-11-12 21:50:48 0000 -------
Voting no and closing. Feel free to reopen if you disagree.
